Connecticut, California and Colorado Announce Joint Investigative Privacy Sweep

Press Releases 09/09/2025 Connecticut, California and Colorado Announce Joint Investigative Privacy Sweep States Investigating Businesses Refusing to Honor Consumers' Right to Opt-Out of the Sale of Their Personal Information (Hartford, CT) - Connecticut Attorney General William Tong and the attorneys general of California and Colorado and the California Privacy Protection Agency today announced an investigative sweep involving potential noncompliance with Global Privacy Control, or GPC, an easy-to-use browser setting or extension that automatically signals to businesses a consumer's request to stop selling or sharing their personal information to third parties. As part of the sweep announced today, the coalition sent letters to businesses that do not appear to be processing consumer requests to opt out of the sale of their personal information submitted via the GPC as required by law and requested that those businesses come into immediate compliance. This sweep reinforces the three states' 2025 Data Privacy Day educational efforts on the GPC. "In Connecticut, you have the right to access, correct, and delete personal data stored and collected by businesses, and the right to opt-out of the sale of personal data and targeted advertising. And you can install a simple browser extension that indicates your choice to opt-out of this type of commercial tracking. While many businesses have been diligent in understanding these new protections and complying with the law, we are putting violators on notice today that respecting consumer privacy is non-negotiable," said Attorney General Tong. "Californians have the important right to opt-out and take back control of their personal data - and businesses have an obligation to honor this request," said California Attorney General Rob Bonta. "Today, along with our law enforcement partners throughout the country, we have identified businesses refusing to honor consumers' requests to stop selling their personal data and have asked them to immediately come into compliance with the law. California and our sister states are committed to continued collaboration to actively enforce consumers' important privacy rights and are paying close attention to business compliance with the Global Privacy Control." Data comes from nearly everywhere online, even when people think they're not revealing anything. It has been estimated that the average person produces 1.7 MB of data per second or 6,120 MB of data per hour. Websites can track and amass personal information and behavioral data like pages visited, time spent on pages, clicks, and detailed purchase information to create and share profiles and inferences about consumers. Apps and other software can collect and transmit personal information as well, including sensitive personal information like a user's precise geolocation. Preventing third parties from receiving this information is a key step to protecting private information and stopping the proliferation of consumer data in the online ecosystem. YOUR RIGHT TO OPT-OUT IN CONNECTICUT OPTION 1: Enabling Global Privacy Control The GPC is a signal that allows users to automatically indicate to the websites they visit that they would like to opt-out of the "sale" of their personal information. The GPC signal is an easy way to opt-out because a consumer does not have to make individualized requests to opt-out on each website they visit. GPC can be downloaded via a browser extension; some browsers offer a GPC setting. Installing GPC is simple and ensures your personal is protected. For information on GPC, please see here. Click here for a video produced by Wesleyan University's Privacy-Tech-Lab to show you how to install GPC. OPTION 2: Opt Out One Business at a Time Businesses that sell personal information must provide a clear and conspicuous link on their website that allows you to submit an opt-out request. Businesses cannot require you to create an account to submit your request or ask for additional information to process your opt-out. If you can't find a business's link, review its privacy policy to see if it sells or shares personal information for purposes of targeted advertising. If the business does, it must also include that link in its privacy policy. If an opt out link is not working or difficult to find, you may report the business to our office by filing a complaint online with the Office of the Attorney General. The Connecticut Data Privacy Act The CTDPA was enacted in July of 2023-one of the first comprehensive consumer privacy laws in the country. Several of the CTDPA's key provisions have subsequent effective dates, including the critical requirement that controllers honor global opt out preference signals ("OOPS") sent by consumers. The OOPS provisions allow consumers the ability to opt out of targeted advertising and the sale of their personal data across all activities online in one place. Connecticut consumers can now send their OOPS through a variety of platforms to "signal" to websites that they are opting out of targeted advertising and the sale of their personal data. Each consumer opt out "signal" will be sent automatically by using, for example, the Global Privacy Control through a privacy protective browser or browser extension. Over 40 million people already use the GPC. All businesses covered by the CTDPA must respond to a consumer's OOPS. This signal must be sent from a platform or mechanism that enables the business to accurately determine whether the consumer is a Connecticut resident. If a consumer's OOPS conflicts with that consumer's previously given privacy choice or their voluntary participation in that business's loyalty rewards or discount program, the business must still comply with the OOPS. Though, the business may notify the consumer of the conflicting signals and ask the consumer to confirm their choice with the understanding that it would affect their previously given privacy choice or participation in their loyalty rewards or discount program. As of January 1, 2025, businesses subject to the CTDPA must treat Connecticut residents' privacy preferences submitted through browser signals as requests to opt-out of sales or targeted advertising. To implement the GPC, businesses can get started here. Click here for a video produced by Wesleyan University's Privacy-Tech -Lab showing how businesses can implement global privacy control. Consumers should note that not all Connecticut businesses are covered by the CTDPA. The law includes specific revenue thresholds and exempts certain industries regulated by other privacy frameworks-such as health care companies subject to the Health Insurance Portability and Accountability Act of 1966 (HIPAA). For more information about the CTDPA, visit the Attorney General's FAQ page here. Twitter: @AGWilliamTong Facebook: CT Attorney General Media Contact: Elizabeth Benton [email protected] Consumer Inquiries: 860-808-5318 [email protected] Twitter Facebook Email Print